DEV Community: Lulu

Do You Have a Website? Are You Worried About Hackers Attacking It?

Lulu — Sat, 14 Sep 2024 07:16:41 +0000

Did you know that 30% of all traffic on the internet comes from malicious attacks? If you’ve done web development or managed a website, you’re probably familiar with terms like SQL injection, CC attacks, XSS, and WebShell. If your website logs show strange, suspicious requests, it could be a sign that hackers are already targeting your site.

Today, I’d like to recommend SafeLine, a highly regarded web protection tool in the security community. Simply put, it’s an enhanced version of Nginx with built-in security features. Developed using industry-leading semantic analysis detection technology, SafeLine acts as a reverse proxy, protecting your website from hacker attacks.

SafeLine is backed by Chaitin Technology, a company with deep expertise in web security. Since 2015, they’ve been delivering commercial WAF (Web Application Firewall) solutions. Now, they’ve released an open-source version of SafeLine, making key features like its detection algorithms, communication protocols, and plugins available to the public. Although the control panel isn’t open-sourced, this doesn’t affect its usability.

You can check out the project on GitHub: https://github.com/chaitin/safeline

Installation Experience

SafeLine offers various deployment options on its official website, with the simplest being a one-click installation:

git clone https://github.com/chaitin/SafeLine.git
cd SafeLine
bash ./release/latest/setup.sh

Once the command is executed, open your browser and visit 127.0.0.1:9443 to access the SafeLine control panel, where you can log in and start using it immediately.

Key Features from Leading Tech Companies:

Attack Logs: View logs and statistics of hacker attacks.
Access Control: Configure blacklists and whitelists based on IP, Host, Path, Header, and Body.
Rate Limiting: Limit client access based on IP and session to effectively defend against CC attacks.
Human vs Bot Verification: Detect whether a client is a human or a bot, helping to block web crawlers and automated attacks.
Semantic Analysis Engine: An enterprise-grade detection engine with high performance, capable of 0-day protection.

Real-World Testing

How does SafeLine perform in a production environment?
To test its effectiveness, I used blazeHTTP, an attack validation tool, to launch attacks against a website protected by SafeLine.

The results were impressive: SafeLine achieved an accuracy rate of over 99%, while maintaining a processing latency of under 1 millisecond. These numbers outperform even the enterprise-level WAF solutions provided by major security vendors.

Unique Features

SafeLine, developed over a span of 10 years, is a next-generation web application firewall. Its detection engine is powered by intelligent semantic analysis, which interprets the behavioral patterns of attacks to recognize and block them effectively.

	Traditional WAF	SafeLine
Ease of Use	Complex configuration, prone to errors	Simple and user-friendly, shields complex underlying security details
Cost	Free version is insufficient, professional version is expensive	Free community version, fully sufficient for personal sites
Performance	Performance degrades significantly, good results require professional hardware	Latency under 1ms, single-core TPS over 2000, no need for specialized hardware

In Conclusion

SafeLine is a simple to use, powerful, and free WAF that you can trust for website security. As the only next-gen WAF to have been showcased at the Black Hat Arsenal, its security credentials are solid.

Check it out on GitHub and give it a star if you’re interested:https://github.com/chaitin/safeline

Why You Need This Decade-Old Open-Source WAF for Ultimate Web Protection

Lulu — Sat, 14 Sep 2024 03:49:45 +0000

Here’s a strong recommendation for an open-source WAF (Web Application Firewall) that’s been developed for nearly 10 years. It comes in both community and professional editions, and the community edition(free) is more than capable of handling most use cases.

1. What is a WAF?

Let’s start with the basics for those who might not be familiar:

A WAF (Web Application Firewall) is a security solution deployed in front of websites at the application layer, offering protection through the following features:

Web Vulnerability Protection:

Detects and blocks common web attacks like SQL injection, XSS (cross-site scripting), and more via predefined rules.
Anti-CC Attack:

Provides protection against large-scale attacks like DDoS by filtering malicious traffic.
Access Control:

Allows filtering based on IP address, region, or suspicious requests.
Security Policy Enforcement:

Ensures input validation and error masking based on security standards like OWASP and PCI-DSS.
Encrypted Communication:

Supports SSL certificates and HTTPS traffic control to secure communication.

2. Introducing Safeline WAF

Today, I’m recommending Safeline, a WAF developed by Chaitin Technology over the last 10 years. Powered by an intelligent semantic analysis algorithm, it’s built for the community, and its robust detection capabilities ensure hackers won’t breach your defenses.

Installation

Operating System: Linux
Architecture: x86_64
Software Dependencies:
- Docker version 20.10.6 or higher
- Docker Compose version 2.0.0 or higher
Minimal Setup: 1 CPU core, 1 GB RAM, 10 GB disk space

You can install it with just one command:

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

To log into the management console, open your browser and visit https://<your-ip>:9443. Follow the instructions on the screen.

If you can access GitHub, download it directly from: https://github.com/chaitin/safeline

If GitHub is inaccessible, try the demo at: https://demo.waf.chaitin.com:9443/dashboard

3. Key Features

Here’s a breakdown of Safeline’s major highlights:

Ease of Use:

The WAF is containerized for quick deployment with a single command, reducing installation complexity. Pre-configured security settings allow you to use it right out of the box, simplifying management.
Security Performance:

Safeline uses an in-house developed intelligent semantic analysis algorithm to detect unknown threats. It doesn’t rely on traditional signature rules, making it effective against 0-day attacks. The detection is precise with low false-positive rates, offering reliable protection.
Detection Performance:

Safeline operates with a rule-free engine and high-efficiency algorithms that keep latency in the millisecond range. Its high concurrency handling allows a single CPU core to support heavy traffic, with excellent horizontal scaling capability.
High Availability:

The WAF’s traffic processing engine is built on Nginx, ensuring stability and reliability. It also comes with a built-in health-check mechanism, providing an impressive uptime of 99.99%.

Protect Your Site from Hackers with SafeLine: A Free and Open-Source WAF

Lulu — Sat, 14 Sep 2024 03:29:52 +0000

Today, I want to introduce you to a highly praised open-source Web Application Firewall (WAF) — Safeline.

Safeline is a free, simple-to-use, and powerful WAF that can protect your website from hacker attacks. It’s based on industry-leading semantic detection technology and functions as a reverse proxy, making it easy to integrate into your existing infrastructure. With its intelligent semantic analysis engine, Safeline was built for the community and ensures hackers can’t breach your defenses.

Key Features

1. Ease of Use

Safeline is containerized, so you can deploy it with a single command. It’s a zero-cost setup, and its security configuration works out of the box with no manual intervention needed. You can enjoy peace of mind with hands-off security management.

2. Top-Tier Security

At the core of Safeline is an industry-first intelligent semantic analysis algorithm. This technology offers precise detection, low false positives, and is difficult to bypass. Because the detection engine doesn’t rely on traditional rule sets, it can effectively handle unknown zero-day attacks without a hitch.

3. High Performance

Safeline operates with a rule-free engine and a linear detection algorithm, boasting an average request inspection latency of just 1 millisecond. It’s highly scalable too, easily handling over 2,000 TPS (transactions per second) per core. With the right hardware, Safeline can support virtually unlimited traffic.

4. High Availability

The traffic handling engine is built on Nginx, ensuring both performance and stability. It also comes with a robust health-check mechanism, providing 99.99% uptime for your service.

Installation Guide

Requirements

Operating System: Linux
Architecture: x86_64
Software Dependencies: Docker version 20.10.6 or above, Docker Compose version 2.0.0 or above
Minimal Environment: 1 CPU core, 1 GB RAM, 10 GB disk space

One-Click Installation

Run this command to install Safeline:



bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

Quick Setup

Open your browser and go to https://<your-ip>:9443 to access the admin panel. Follow the on-screen instructions to log in.

Configure Your Protected Sites

Safeline works as a reverse proxy, intercepting traffic before it reaches your web server. It detects and filters out malicious requests, forwarding only clean traffic to your server.

TIP: After configuration, use the following command to check if your site is properly set up:



curl -H "Host: <your-domain>" http://:<port>

Testing the WAF

To test Safeline’s protection, simulate a hacker attack by visiting the following URLs:

http://<your-IP-or-domain>:<port>/?id=1%20AND%201=1
http://<your-IP-or-domain>:<port>/?a=

Conclusion

If you’re looking for a free and open-source WAF, give Safeline a try. It’s a great option for protecting your website from the ever-growing threat of hacker attacks.

Official Website: https://waf.chaitin.com
GitHub Repository: https://github.com/chaitin/safeline

How to Configure and Use SafeLine's Syslog for Real-Time Attack Logging

Lulu — Fri, 13 Sep 2024 11:22:12 +0000

To configure Syslog with SafeLine and ensure real-time synchronization of attack logs to a third-party server, follow the instructions below:

Syslog Configuration for SafeLine

1.Enable Syslog Forwarding:

Go to the System page in SafeLine, and configure the Syslog settings by providing the necessary details. Syslog forwarding uses the UDP protocol and follows the RFC-5424 standard for log formatting.

2.Test Syslog Configuration:

After configuring Syslog, click the Test button. If the Syslog server receives the following message, it indicates successful configuration:

   <30>1 2024-03-20T20:02:38+08:00 55ae65e87e75 /matio/mario 1 safeline_event - Connectivity test requested.

Syslog Event Format in SafeLine

SafeLine logs sent via Syslog are formatted in JSON and contain detailed information about each request, including attack events. Below is an example of the SafeLine Syslog event format:

{
  "scheme": "http",
  "src_ip": "12.123.123.123",
  "src_port": 53008,
  "socket_ip": "10.2.71.103",
  "upstream_addr": "10.2.34.20",
  "req_start_time": 1712819316749,
  "rsp_start_time": null,
  "req_end_time": 1712819316749,
  "rsp_end_time": null,
  "host": "safeline-ce.chaitin.net",
  "method": "GET",
  "query_string": "",
  "event_id": "32be0ce3ba6c44be9ed7e1235f9eebab",
  "session": "",
  "site_uuid": "35",
  "site_url": "http://safeline-ce.chaitin.net:8083",
  "req_detector_name": "1276d0f467e4",
  "req_detect_time": 286,
  "req_proxy_name": "16912fe30d8f",
  "req_rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "req_location": "urlpath",
  "req_payload": "",
  "req_decode_path": "",
  "req_rule_module": "m_rule",
  "req_http_body_is_truncate": 0,
  "rsp_http_body_is_truncate": 0,
  "req_skynet_rule_id_list": [65595, 65595],
  "http_body_is_abandoned": 0,
  "country": "US",
  "province": "",
  "city": "",
  "timestamp": 1712819316,
  "payload": "",
  "location": "urlpath",
  "rule_id": "m_rule/9bf31c7ff062936a96d3c8bd1f8f2ff3",
  "decode_path": "",
  "cookie": "sl-session=Z0WLa8mjGGZPki+QHX+HNQ==",
  "user_agent": "PostmanRuntime/7.28.4",
  "referer": "",
  "timestamp_human": "2024-04-11 15:08:36",
  "resp_reason_phrase": "",
  "module": "m_rule",
  "reason": "",
  "proxy_name": "16912fe30d8f",
  "node": "1276d0f467e4",
  "dest_port": 8083,
  "dest_ip": "10.2.34.20",
  "urlpath": "/webshell.php",
  "protocol": "http",
  "attack_type": "backdoor",
  "risk_level": "high",
  "action": "deny",
  "req_header_raw": "GET /webshell.php HTTP/1.1\r\nHost: safeline-ce.chaitin.net:8083\r\nUser-Agent: PostmanRuntime/7.28.4\r\nAccept: */*\r\nAccept-Encoding: gzip, deflate, br\r\nCache-Control: no-cache\r\nCookie: sl-session=Z0WLa8mjGGZPki+QHX+HNQ==\r\nPostman-Token: 8e67bec1-6e79-458c-8ee5-0498f3f724db\r\nX-Real-Ip: 12.123.123.123\r\nSL-CE-SUID: 35\r\n\r\n",
  "body": "",
  "req_block_reason": "web",
  "req_attack_type": "backdoor",
  "req_risk_level": "high",
  "req_action": "deny"
}

This format includes critical details like the source IP, request method, target URL, detected attack type, risk level, and actions taken by SafeLine.

By setting up Syslog forwarding in SafeLine, administrators can seamlessly integrate with external monitoring and security systems to analyze attack events and ensure enhanced security management.

GitHub:https://github.com/chaitin/SafeLine
Website:https://waf.chaitin.com

How to Set Up SSL Protocols and Cipher Suites with SafeLine WAF

Lulu — Fri, 13 Sep 2024 10:59:42 +0000

SSL Protocol and Cipher Configuration Guide for SafeLine

SafeLine allows you to configure SSL protocols and encryption settings for your web applications. Below are the steps for setting up SSL certificates, adjusting SSL protocol versions, and customizing SSL cipher suites.

SSL Certificate Configuration

If your site requires HTTPS access, you can enable SSL by uploading an SSL certificate when configuring the corresponding port.

SSL Protocol Version Configuration

SafeLine supports several SSL and TLS protocol versions. You can modify the SSL version in the SSL Protocol section, choosing from:TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 SSLv2 SSLv3

SSL Cipher Configuration

In some cases, specific SSL encryption algorithms may need to be adjusted due to security concerns or vulnerabilities. SafeLine allows for custom SSL cipher suites. Here are some commonly used SSL cipher combinations:

Nginx Official Example: AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5
Cloudflare Recommended: [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]:ECDHE+AES128:RSA+AES128:ECDHE+AES256:RSA+AES256:ECDHE+3DES:RSA+3DES
Mozilla Modern (TLS 1.3): TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Mozilla Intermediate (TLS 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
Mozilla Old Backward Compatibility (TLS 1.0 - 1.2): ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
Cipherli Recommendation: EECDH+AESGCM:EDH+AESGCM
High-Strength Cipher Suite: HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4:!RSA

By customizing these configurations, you can ensure a secure and optimized SSL setup tailored to your application’s requirements.

Deploying Static Files for Website Hosting in SafeLine

Lulu — Fri, 13 Sep 2024 10:05:13 +0000

How to Host a Website Using Static Files with SafeLine

In SafeLine version 6.6.0 and above, you can easily host websites using static files. This guide will walk you through the steps to set up a site using static resources and provide solutions for common issues you might encounter.

Step 1: Select Static File Hosting

When adding a new site in SafeLine, choose the Static Files option for site creation.

Step 2: Verify Success

After setting up the site, try visiting the site’s URL. If you see the default page, it means the static hosting setup was successful.

Step 3: Upload Your Static Files

Once the default page is visible, you can go to the Site Details section and upload your custom static files.

FAQ

What if the uploaded files exceed the size limit?

If your static files exceed the upload limit, you can manually upload them to the appropriate directory on the WAF server.

Directory path: installation_directory/resources/nginx/static/static_${SITE_ID}

You can find the SITE_ID by looking at the site details URL. For example, if the URL is https://xxxx:9443/sites/detail?id=12, the site ID is 12.

By following these steps, you’ll be able to quickly host static websites using SafeLine and manage your site with ease!

GitHub:https://github.com/chaitin/SafeLine
Website:https://waf.chaitin.com

Guide to SafeLine Open API: Secure Your Access with API Tokens

Lulu — Fri, 13 Sep 2024 09:39:17 +0000

SafeLine Open API Guide: API Token Authentication

In the latest version of SafeLine (v6.6.0 and above), the Open API now supports API token-based authentication. Although official API documentation is not currently available, you can scrape it yourself if needed.

Requirements:

You must be logged in using the default admin account to access this feature.
SafeLine version must be at least 6.6.0.

GitHub:https://github.com/chaitin/SafeLine
Demo:https://demo.waf.chaitin.com:9443/dashboard

How to Use the Open API

Step 1: Create an API Token

First, navigate to System Management in SafeLine and generate an API token.

Step 2: Include the API Token in Your Requests

When making API calls, you need to include the token in the request headers like this:

"X-SLCE-API-TOKEN": "Your API Token from SafeLine"

Example: Using API Token in Python to Add a Site

Below is an example of how to use the SafeLine Open API with an API token to add a new site in Python.

import requests
import json

# Define the header with your API token
header = {
    "X-SLCE-API-TOKEN": "Your API Token from SafeLine"
}

# API endpoint to add a site
url = 'https://<safeline_ip>:9443/api/open/site'

# Payload containing site details
payload = {
    "ports": ["80"],
    "server_names": ["*"],
    "upstreams": ["http://127.0.0.1:9443"],
    "comment": "",
    "load_balance": {
        "balance_type": 1
    }
}

# Convert payload to JSON
payload = json.dumps(payload)

# Send the POST request
response = requests.post(url=url, headers=header, data=payload, verify=False)

# Check the response
print(response.status_code)
print(response.json())

Explanation:

The header contains the required API token for authentication.
The URL is the endpoint for adding a site (/api/open/site).
The payload specifies details about the site such as ports, server names, upstreams, and load-balancing configuration.

By following these steps, you can securely interact with SafeLine's Open API using token-based authentication, enabling you to automate and manage your web security setup with ease.

How to Secure Your Kubernetes with Ingress-Nginx and SafeLine

Lulu — Fri, 13 Sep 2024 09:18:12 +0000

Integrating Ingress-Nginx with SafeLine Community Edition

Prerequisites:

SafeLine version ≥ 5.6.0

Preparing SafeLine Configuration

First, configure SafeLine by using a ConfigMap to define the detection engine's host and port. Below is an example configuration:

# safeline.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: safeline
  namespace: ingress-nginx
data:
  host: "detector_host"  # Replace with your SafeLine detection engine address
  port: "8000"           # Default port for SafeLine

To create the ConfigMap in Ingress-Nginx, run the following commands:

kubectl create namespace ingress-nginx
kubectl apply -f safeline.yaml

Fresh Installation with Helm

If you don't have Ingress-Nginx installed yet, you can install it using Helm. For detailed instructions, refer to the Ingress-Nginx official documentation.
Once ready, replace the image and configure the SafeLine plugin by using the following values.yaml:

# values.yaml
controller:
  kind: DaemonSet
  image:
    registry: docker.io
    image: chaitin/ingress-nginx-controller
    tag: v1.10.1
  extraEnvs:
    - name: SAFELINE_HOST
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: host
    - name: SAFELINE_PORT
      valueFrom:
        configMapKeyRef:
          name: safeline
          key: port
  service:
    externalTrafficPolicy: Local  # To capture real client IPs
  config:
    plugins: safeline
  admissionWebhooks:
    patch:
      image:
        registry: docker.io
        image: chaitin/ingress-nginx-kube-webhook-certgen
        tag: v1.4.1

To install the controller, use this command:

helm upgrade --install ingress-nginx ingress-nginx \
  --repo https://kubernetes.github.io/ingress-nginx \
  --namespace ingress-nginx --create-namespace \
  -f values.yaml

Build Your Own Ingress-Nginx Image

If you'd prefer to build the image yourself, here’s a sample Dockerfile that adds the SafeLine plugin:

FROM registry.k8s.io/ingress-nginx/controller:v1.10.1
USER root
RUN apk add --no-cache make gcc unzip wget
# Install Luarocks
RUN wget https://luarocks.org/releases/luarocks-3.11.0.tar.gz && \
    tar zxpf luarocks-3.11.0.tar.gz && \
    cd luarocks-3.11.0 && \
    ./configure && \
    make && \
    make install && \
    cd .. && \
    rm -rf luarocks-3.11.0 luarocks-3.11.0.tar.gz
RUN luarocks install ingress-nginx-safeline && \
    ln -s /usr/local/share/lua/5.1/safeline /etc/nginx/lua/plugins/safeline
USER www-data

Adding SafeLine to Existing Ingress-Nginx Installations

Step 1: Install the SafeLine Plugin

Refer to the Dockerfile above and use luarocks to install the SafeLine plugin in your default Nginx plugin directory.

Step 2: Configure the SafeLine Plugin

Use the safeline.yaml file to create the necessary ConfigMap:

kubectl apply -f safeline.yaml

In your Ingress-Nginx configuration, enable the SafeLine plugin:

# ingress-nginx-controller-configmap.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
data:
  plugins: "safeline"

Step 3: Inject SafeLine Environment Variables

Add the environment variables to your Ingress-Nginx Deployment or DaemonSet so the SafeLine plugin can read them:

# ingress-nginx-controller-deployment.yaml
...
env:
  - name: SAFELINE_HOST
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: host
  - name: SAFELINE_PORT
    valueFrom:
      configMapKeyRef:
        name: safeline
        key: port

Step 4: (Optional) Capture Real Client IP

To capture real client IP addresses, ensure that the externalTrafficPolicy in your Nginx service is set to Local.

Testing SafeLine Plugin

You can test if the SafeLine plugin is working by simulating a malicious request:

curl http://localhost:80/ -H "Host: example.com" -H "User-Agent: () { :; }; echo; echo; /bin/bash -c 'echo hello'"

If everything is configured correctly, you should receive a 403 Forbidden response, indicating that the request was blocked by SafeLine:

{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "18e0f220f7a94127acb21ad3c1b4ac47"
}

You can check the SafeLine dashboard for more detailed attack logs.

By following this guide, you'll have Ingress-Nginx integrated with SafeLine, helping you enhance the security of your Kubernetes clusters with minimal effort.

Boost API Security: Kong and SafeLine WAF Integration Guide

Lulu — Thu, 12 Sep 2024 10:48:31 +0000

Kong is a cloud-native, fast, scalable, and distributed microservices abstraction layer (also known as an API gateway or middleware). It offers robust traffic control, security, monitoring, and operational features through plugins.

Installing the Kong Plugin

Custom plugins can be installed via LuaRocks. Lua plugins are distributed as .rock packages, which are self-contained and can be installed from local or remote servers.

If you've installed Kong using the official package, the LuaRocks utility should already be included in your system.

To install the SafeLine plugin, follow these steps:

luarocks install kong-safeline

Then, enable the SafeLine plugin by adding the following configuration to your kong.conf file:

plugins = bundled,safeline              # Comma-separated list of plugins this node
                                        # should load. By default, only plugins
                                        # bundled in official distributions are
                                        # loaded via the `bundled` keyword.

This line adds SafeLine to the list of enabled plugins, alongside any bundled plugins in the official distribution.

Finally, restart the Kong Gateway:

kong restart

Using the SafeLine Plugin with Kong

To enable the SafeLine plugin for a specific service, configure the detector_host and safeline_port, which refer to the SafeLine detection engine's address and port, as set during the initial setup.

curl -X POST http://localhost:8001/services/{service}/plugins \
    --data "name=safeline" \
    --data "config.safeline_host=<detector_host>" \
    --data "config.safeline_port=<detector_port>"

Testing the Protection

To verify that SafeLine is working, you can simulate a simple SQL injection attack by sending a request to Kong. If SafeLine is protecting your service, you should receive a 403 Forbidden response.

curl -X POST http://localhost:8000?1=1%20and%202=2

You should get the following response:

{
  "code": 403,
  "success": false,
  "message": "blocked by Chaitin SafeLine Web Application Firewall",
  "event_id": "8b41a021ea9541c89bb88f3773b4da24"
}

Additionally, you can check SafeLine's dashboard to see a full record of the blocked attack.

Simple, Easy-to-Use, and Open-Source Web Application Firewall

Lulu — Thu, 12 Sep 2024 10:11:25 +0000

Today, I’m excited to introduce SafeLine, a free and open-source Web Application Firewall (WAF)!

GitHub: https://github.com/chaitin/safeline

SafeLine is an open-source WAF designed for simplicity and ease of use. It’s available as a community edition and can be installed quickly with minimal effort. SafeLine helps protect your web services by filtering incoming traffic from the internet, defending against a wide range of attacks like SQL injection, code injection, command injection, backdoors, and web crawlers.

Here’s an overview of how it works:

With over 200,000 installations worldwide and more than 1 million protected websites, SafeLine processes over 30 billion requests daily.

How to Install SafeLine

You can install SafeLine easily using a one-liner script:

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

For a detailed manual installation guide, check out the official tutorial here: https://docs.waf.chaitin.com/en/tutorials/install

Once installed, you can access the SafeLine dashboard at: https://<safeline-ip>:9443/

If it's your first time logging in, you'll need to initialize the admin account by running this command:

docker exec safeline-mgt resetadmin

This will generate the default username and password.

Key Features of SafeLine

Protects against a wide range of web attacks (including SQL injection, XSS, code injection, OS command injection, CRLF injection, XXE, SSRF, path traversal, etc.).
Blocks web crawlers and malicious scanners.
Dynamically encrypts front-end code.
Supports IP-based rate limiting (defends against DDoS, brute force attacks, and abnormal traffic).
Allows configuring HTTP access controls.

Optimizing Docker for High Security: Combining Docker and SafeLine

Lulu — Thu, 12 Sep 2024 09:31:35 +0000

Docker is an open-source application container engine built with Go and follows the Apache 2.0 protocol. It enables developers to package their applications and dependencies into lightweight, portable containers. These containers can be deployed on any popular Linux machine, offering a form of lightweight virtualization. Each container operates in complete isolation (similar to iPhone apps), and most importantly, the performance overhead is minimal.

Docker Installation

Here's how to install Docker on CentOS:

1.Install Docker Image

curl -fsSL https://get.docker.com | bash -s docker --mirror Aliyun

2.Set Up Stable Repositories

sudo yum-config-manager --add-repo http://mirrors.aliyun.com/docker-ce/linux/centos/docker-ce.repo

3.Install Required Packages

sudo yum install -y yum-utils device-mapper-persistent-data lvm2

4.Remove Old Docker Versions (if any)

yum remove docker docker-client docker-common docker-latest docker-engine

5.List Available Docker Versions

yum list docker-ce --showduplicates | sort -r

6.Install Selected Version (e.g., 19.03.13)

yum install docker-ce-19.03.13 docker-ce-cli-19.03.13 containerd.io

7.Alternatively, Install the Latest Version

yum -y install docker-ce

8.Start and Enable Docker

systemctl start docker
systemctl enable docker

Optimization

When deploying services, it’s best to tune the system for minimal service disruption. Below are some optimizations to improve Docker's performance.

Step 1: Directory Migration

# Stop Docker service
systemctl stop docker

# Create new directory for Docker data
mkdir -p /home/jamelli/docker/data/lib

# Copy existing Docker data to the new directory
rsync -r -avz /var/lib/docker /home/jamelli/docker/data/lib

Step 2: Configure Docker to Use New Directory

cat <<EOF > /etc/systemd/system/docker.service.d/devicemapper.conf
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd --graph=/home/jamelli/docker/data/lib/docker
EOF

# Reload and restart Docker
systemctl daemon-reload
systemctl restart docker

Log Optimization

To manage log file size and avoid excessive disk usage, configure log rotation:

cat <<EOF > /etc/docker/daemon.json
{
    "log-driver": "json-file",
    "log-opts": {
        "max-size": "100m",
        "max-file": "3"
    }
}
EOF

Disk Optimization

Use these commands to clean up unused containers, volumes, and images:

docker system df
docker system prune
docker system prune -a

To check detailed disk usage:

docker system df -v

Docker Commands You Should Know

docker system df: Check Docker’s memory usage
docker image: View Docker image contents
docker info: Get Docker system information
docker stats: View container resource usage (CPU, memory)
docker logs --tail=10 -f <container-name>: View container logs in real-time

SafeLine WAF Integration

Now that Docker is installed and optimized, you can further secure your infrastructure by deploying SafeLine WAF, a powerful and free web application firewall. Here's how to install SafeLine on your Dockerized system:

1.Install SafeLine

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

2.Access SafeLine
After installation, open port 9443 on your firewall to access the SafeLine management interface:

# Open port 9443
firewall-cmd --zone=public --add-port=9443/tcp --permanent
firewall-cmd --reload

Then, access SafeLine at:

https://<your-server-ip>:9443/

3.Protect Your Web Apps
With SafeLine, your Dockerized applications will be protected against common attacks like SQL injections, XSS, and DDoS threats. SafeLine’s traffic processing engine, built on Nginx, ensures that your applications are secure while maintaining high performance.

Solving Common Docker Issues

When pulling Docker images, if you encounter the following error:

Error response from daemon: net/http: TLS handshake timeout

You can resolve this by adding a Docker mirror:

sudo vim /etc/docker/daemon.json
{
  "registry-mirrors": ["https://docker.mirrors.ustc.edu.cn"]
}

Then reload and restart Docker:

systemctl daemon-reload
systemctl restart docker

How to Secure Your Web Apps: A Free and Powerful WAF

Lulu — Thu, 12 Sep 2024 09:00:00 +0000

A Web Application Firewall (WAF) operates at the application layer, providing protection for web requests and responses. WAFs can safeguard your web applications from common threats such as SQL injections, cross-site scripting (XSS), and other vulnerabilities. Additionally, they can monitor and filter traffic that may lead to Denial of Service (DoS) attacks, helping ensure the availability and security of your web services.

SafeLine: A Powerful and Free WAF Tool

Today, we’re introducing SafeLine, a robust and free WAF solution. SafeLine’s traffic processing engine is built on top of Nginx, offering excellent stability and performance for handling high volumes of web traffic.

Installation

You can install SafeLine via the command line with the following steps:

Step 1: Install SafeLine

bash -c "$(curl -fsSLk https://waf.chaitin.com/release/latest/setup.sh)"

Step 2: Install Docker

curl -sSL "https://get.docker.com/" | bash

When prompted, type y to confirm and wait for the installation to complete.

Access SafeLine

After installation, open port 9443 on your firewall to allow access:

# Open port 9443
firewall-cmd --zone=public --add-port=9443/tcp --permanent   
# Apply the configuration
firewall-cmd --reload

Now, you can access SafeLine by navigating to the following URL:

https://<your-server-ip>:9443/

Once you log in, you’ll be able to start using SafeLine to protect your applications.

Uninstallation

If you decide you no longer need SafeLine, follow these steps to uninstall it completely:

1.Navigate to the SafeLine directory:

cd <safeline-directory>

2.Stop the SafeLine service:

docker compose down

3.Remove all SafeLine data:

rm -rf <safeline-directory>